sixnix/modules/network.nix

{ config, pkgs, ... }:
let
  hostname = "tunnels";
  domain = "example.com";

  resolvers = [ "9.9.9.9" "2620:fe::fe" ];

  egress = {
    interface = "eth0";

    ipv4.gateway = "198.51.100.10";
    ipv4.address = "198.51.100.1/24";

    ipv6.gateway = "fe80::1";
    ipv6.address = "2001:DB8:10:cafe:dcaf::3210/64";
  };

  tunnels = [{
    interface = "wg0";
    serverPort = 51820;
    serverAddress = "2001:db8:de:ff0::1/128";
    clientAddress = "2001:db8:de:ff0::2/128";
    clientSubnet = "2001:db8:de:f00::/60";
    serverPrivateKeyFile = "wg0-server-private";
    clientPublicKeyFile = "wg0-client-public";
  }];
in {

  networking.hostName = hostname;
  networking.domain = domain;

  # Enable systemd-networkd
  systemd.network.enable = true;
  networking.useNetworkd = true;

  # Tools for monitoring/key generation
  environment.systemPackages = with pkgs; [ wireguard-tools tcpdump ];

  # Configure Ethernet interface (eth0)
  systemd.network.networks."10-egress" = {
    matchConfig.Name = egress.interface;
    networkConfig = {
      DHCP = "no";
      IPv6AcceptRA = "no";
      IPv6PrivacyExtensions = "yes";
      IPv6Forwarding = "yes";
    };

    address = [ egress.ipv4.address egress.ipv6.address ];
    gateway = [ egress.ipv4.gateway egress.ipv6.gateway ];

    dns = resolvers;
  };

  imports = [ ./wireguard.nix ];

  wireguard.interfaces = tunnels;

  networking.firewall = { allowedUDPPorts = map (x: x.serverPort) tunnels; };

  networking.nat = {
    enable = true;
    externalInterface = egress.interface;
    internalInterfaces = map (x: x.interface) tunnels;
  };

}
initial commit 2025-08-17 20:37:46 +05:30			`{ config, pkgs, ... }:`
			`let`
			`hostname = "tunnels";`
			`domain = "example.com";`

			`resolvers = [ "9.9.9.9" "2620:fe::fe" ];`

			`egress = {`
			`interface = "eth0";`

			`ipv4.gateway = "198.51.100.10";`
			`ipv4.address = "198.51.100.1/24";`

			`ipv6.gateway = "fe80::1";`
			`ipv6.address = "2001:DB8:10:cafe:dcaf::3210/64";`
			`};`

			`tunnels = [{`
			`interface = "wg0";`
			`serverPort = 51820;`
			`serverAddress = "2001:db8:de:ff0::1/128";`
			`clientAddress = "2001:db8:de:ff0::2/128";`
			`clientSubnet = "2001:db8:de:f00::/60";`
			`serverPrivateKeyFile = "wg0-server-private";`
			`clientPublicKeyFile = "wg0-client-public";`
			`}];`
			`in {`

			`networking.hostName = hostname;`
			`networking.domain = domain;`

			`# Enable systemd-networkd`
			`systemd.network.enable = true;`
			`networking.useNetworkd = true;`

			`# Tools for monitoring/key generation`
			`environment.systemPackages = with pkgs; [ wireguard-tools tcpdump ];`

			`# Configure Ethernet interface (eth0)`
			`systemd.network.networks."10-egress" = {`
			`matchConfig.Name = egress.interface;`
			`networkConfig = {`
			`DHCP = "no";`
			`IPv6AcceptRA = "no";`
			`IPv6PrivacyExtensions = "yes";`
			`IPv6Forwarding = "yes";`
			`};`

			`address = [ egress.ipv4.address egress.ipv6.address ];`
			`gateway = [ egress.ipv4.gateway egress.ipv6.gateway ];`

			`dns = resolvers;`
			`};`

			`imports = [ ./wireguard.nix ];`

			`wireguard.interfaces = tunnels;`

			`networking.firewall = { allowedUDPPorts = map (x: x.serverPort) tunnels; };`

			`networking.nat = {`
			`enable = true;`
			`externalInterface = egress.interface;`
			`internalInterfaces = map (x: x.interface) tunnels;`
			`};`

			`}`